IPSEC Tunnel



  • Good afternoon everyone.
    I am trying to bring up an IPSEC tunnel between 2 companies. In my tests (using VMWARE) it works fine with the basic settings, but when I use those same settings in production, the link never comes up. My settings are:

    SIDE 1
    Dynamic IP, pfSense 2.2.5 connected via PPPoE
    LAN 192.178.10.1

    Phase 1
    Negotiation - Main
    Encryption algorithm - AES 256
    Hash Algorithm - SHA1
    DH key group - 2

    Phase 2
    remote network 192.168.0.0/16
    ESP - AES AUTO
    Hash - SHA1
    PFS - off

    The second side is the same, but using my network 192.178.10.0/24

    pfSense configuration on side 2
    LAN 192.168.2.254 (DHCP from 192.168.1.1 to 192.168.2.10)

    On this side the server is behind a Draytek modem that does network load balancing.
    On this server there is also already an active IPSEC VPN with a Draytek modem router at another site.

    The logs look like this:

    Jul 15 16:41:44 charon 16[CFG] added configuration 'bypasslan'
    Jul 15 16:41:44 charon 14[CFG] received stroke: route 'bypasslan'
    Jul 15 16:41:44 ipsec_starter 35550 'bypasslan' shunt PASS policy installed
    Jul 15 16:41:44 charon 08[CFG] received stroke: add connection 'con1000'
    Jul 15 16:41:44 charon 08[CFG] added configuration 'con1000'
    Jul 15 16:41:44 charon 06[CFG] received stroke: route 'con1000'
    Jul 15 16:41:44 ipsec_starter 35550 'con1000' routed
    Jul 15 16:42:00 charon 14[CFG] received stroke: terminate 'con1000'
    Jul 15 16:42:00 charon 14[CFG] no IKE_SA named 'con1000' found
    Jul 15 16:42:00 charon 10[CFG] received stroke: initiate 'con1000'
    Jul 15 16:42:00 charon 09[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to xxx.xxx.xxx.xxx
    Jul 15 16:42:00 charon 09[ENC] <con1000|1>generating ID_PROT request 0 [ SA V V V V V ]
    Jul 15 16:42:00 charon 09[NET] <con1000|1>sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (180 bytes)
    Jul 15 16:42:00 charon 09[NET] <con1000|1>received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (180 bytes)
    Jul 15 16:42:00 charon 09[ENC] <con1000|1>parsed ID_PROT response 0 [ SA V V V V V ]
    Jul 15 16:42:00 charon 09[IKE] <con1000|1>received XAuth vendor ID
    Jul 15 16:42:00 charon 09[IKE] <con1000|1>received DPD vendor ID
    Jul 15 16:42:00 charon 09[IKE] <con1000|1>received Cisco Unity vendor ID
    Jul 15 16:42:00 charon 09[IKE] <con1000|1>received FRAGMENTATION vendor ID
    Jul 15 16:42:00 charon 09[IKE] <con1000|1>received NAT-T (RFC 3947) vendor ID
    Jul 15 16:42:00 charon 09[ENC] <con1000|1>generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Jul 15 16:42:00 charon 09[NET] <con1000|1>sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (244 bytes)
    Jul 15 16:42:00 charon 09[NET] <con1000|1>received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (244 bytes)
    Jul 15 16:42:00 charon 09[ENC] <con1000|1>parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Jul 15 16:42:00 charon 09[IKE] <con1000|1>local host is behind NAT, sending keep alives
    Jul 15 16:42:00 charon 09[IKE] <con1000|1>remote host is behind NAT
    Jul 15 16:42:00 charon 09[ENC] <con1000|1>generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Jul 15 16:42:00 charon 09[NET] <con1000|1>sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (108 bytes)
    Jul 15 16:42:00 charon 16[NET] <con1000|1>received packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (92 bytes)
    Jul 15 16:42:00 charon 16[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 29414898 [ HASH N(AUTH_FAILED) ]
    Jul 15 16:42:00 charon 16[IKE] <con1000|1>received AUTHENTICATION_FAILED error notify
    Jul 15 16:42:59 charon 08[NET] <2> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (200 bytes)
    Jul 15 16:42:59 charon 08[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V V ]
    Jul 15 16:42:59 charon 08[IKE] <2> received XAuth vendor ID
    Jul 15 16:42:59 charon 08[IKE] <2> received DPD vendor ID
    Jul 15 16:42:59 charon 08[IKE] <2> received Cisco Unity vendor ID
    Jul 15 16:42:59 charon 08[IKE] <2> received FRAGMENTATION vendor ID
    Jul 15 16:42:59 charon 08[IKE] <2> received NAT-T (RFC 3947) vendor ID
    Jul 15 16:42:59 charon 08[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jul 15 16:42:59 charon 08[IKE] <2> xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
    Jul 15 16:42:59 charon 08[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
    Jul 15 16:42:59 charon 08[NET] <2> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (160 bytes)
    Jul 15 16:43:00 charon 08[NET] <2> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (244 bytes)
    Jul 15 16:43:00 charon 08[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Jul 15 16:43:00 charon 08[IKE] <2> local host is behind NAT, sending keep alives
    Jul 15 16:43:00 charon 08[IKE] <2> remote host is behind NAT
    Jul 15 16:43:00 charon 08[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Jul 15 16:43:00 charon 08[NET] <2> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (244 bytes)
    Jul 15 16:43:20 charon 14[IKE] <2> sending keep alive to xxx.xxx.xxx.xxx[500]
    Jul 15 16:43:30 charon 10[JOB] <2> deleting half open IKE_SA after timeout

    Could anyone who has already been through this shed some light on it for me??
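Added example, not part of the post above: a small Python parser over charon (strongSwan) log lines of the shape shown, which groups them by IKE_SA tag (`<con1000|1>`, `<2>`) and reports how far each Main Mode negotiation got. The sample lines are constructed from the post, and the explanations it prints are the standard meaning of those IKEv1 states, not a diagnosis confirmed in the thread.

```python
import re

# Constructed sample: charon lines modelled on the post's log, keeping the
# poster's xxx.xxx.xxx.xxx placeholder for the peer address.
SAMPLE_LOG = """\
Jul 15 16:42:00 charon 09[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to xxx.xxx.xxx.xxx
Jul 15 16:42:00 charon 09[IKE] <con1000|1>local host is behind NAT, sending keep alives
Jul 15 16:42:00 charon 09[IKE] <con1000|1>remote host is behind NAT
Jul 15 16:42:00 charon 09[ENC] <con1000|1>generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jul 15 16:42:00 charon 16[IKE] <con1000|1>received AUTHENTICATION_FAILED error notify
Jul 15 16:42:59 charon 08[IKE] <2> xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 15 16:43:00 charon 08[IKE] <2> remote host is behind NAT
Jul 15 16:43:00 charon 08[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 15 16:43:30 charon 10[JOB] <2> deleting half open IKE_SA after timeout
"""

# Common shape of a charon line: timestamp, thread[SUBSYS], <sa-tag>, message.
# The tag is followed by a space in some lines and by none in others, as in the post.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<sub>[A-Z]+)\] "
                     r"<(?P<sa>[^>]+)> ?(?P<msg>.*)$")

# Message fragments that mark how far an IKEv1 Main Mode negotiation got.
MARKERS = {
    "initiating Main Mode IKE_SA": "we_initiated",
    "is initiating a Main Mode IKE_SA": "peer_initiated",
    "remote host is behind NAT": "nat_t",
    "generating ID_PROT request 0 [ ID HASH": "sent_id_hash",
    "received AUTHENTICATION_FAILED": "auth_failed",
    "deleting half open IKE_SA after timeout": "half_open_timeout",
}

def parse_sas(log):
    """Collect the markers seen for each IKE_SA tag, in log order, without repeats."""
    sas = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = sas.setdefault(m["sa"], [])
        for fragment, marker in MARKERS.items():
            if fragment in m["msg"] and marker not in hits:
                hits.append(marker)
    return sas

def diagnose(hits):
    """Explain where the negotiation stopped, from the markers seen for one IKE_SA."""
    if "auth_failed" in hits:
        return ("Main Mode reached the ID/HASH exchange and the peer answered AUTHENTICATION_FAILED: "
                "it could not verify our ID/HASH (pre-shared key or identifier mismatch is the usual cause)")
    if "half_open_timeout" in hits:
        return "Main Mode never completed: the peer's next exchange did not arrive and charon dropped the half-open IKE_SA"
    return "no failure marker seen"

def report(log):
    return {sa: diagnose(hits) for sa, hits in parse_sas(log).items()}
```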